On Mon, Feb 09, 2004 at 07:43:37PM +1100, Matthew Palmer wrote:

> The problem is that IPSec requires that both source and destination ports for
> an IKE connection be UDP 500. Now, with a sane NAT engine (*cough* iptables
> *cough*) this works, because it tries to keep ports the same as much as
> possible. However, Ciscos don't - you'll get a source port out of the NAT
> router in the high range, which your other end will take one look at and go
> "screw that and the horse it rode in on".
>
> The way to fix it is to configure the Cisco to do port forwarding of UDP 500 to
> your IPSec machine inside, and initiate the connection from outside to the
> public interface. That way both source and dest port will be 500, and your
> IPSec boxes are none the wiser.
>
> Short of making NAT traversal work (and it's a PITA, if only by the fact that
> there's several different "standards" for doing it), this is the best way if
> you've got to make it work over a brain-dead NAT device. Naturally, this way
> won't work for multiple separate VPN endpoints behind your NAT device, but it's
> better than nothing.
Ok, I see what you mean now; since I'm forwarding UDP 500 to one machine, that machine is the only VPN endpoint.

> Anyway, if you've got VPN connections flying all over the
> place, then the network design probably needs to be rethought a little, to
> accommodate those sorts of things more gracefully...

I'm curious, how are other people doing this?

Patrick

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
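The symptom Matthew describes (a NAT box rewriting the IKE source port so the far end sees high-port -> 500 instead of 500 -> 500) is easy to spot on the wire. The following is an added example, not code from this thread: it parses a constructed UDP datagram carrying an ISAKMP (IKEv1) header and classifies it, so a defender can check from a packet capture whether the port-forwarding fix above has actually produced 500 -> 500 on both sides. The packet bytes, cookies and helper names are all constructed for the example.

```python
"""Classify IKEv1 (ISAKMP) datagrams by their UDP source/destination ports."""
import struct

IKE_PORT = 500
UDP_HDR_LEN = 8
ISAKMP_HDR_LEN = 28  # fixed-size ISAKMP header (RFC 2408)


def build_ike_datagram(sport: int, dport: int, version: int = 0x10) -> bytes:
    """Construct UDP header + ISAKMP main-mode header (no IP header).

    Constructed sample data: fixed cookies, checksum zero, no payloads.
    """
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + ISAKMP_HDR_LEN, 0)
    isakmp = struct.pack(
        "!8s8sBBBBII",
        b"\x11" * 8,      # initiator cookie (constructed)
        b"\x00" * 8,      # responder cookie, zero in the first message
        1,                # next payload: Security Association
        version,          # major/minor version nibbles, 0x10 = IKEv1
        2,                # exchange type 2: Identity Protection (main mode)
        0,                # flags
        0,                # message ID (phase 1)
        ISAKMP_HDR_LEN,   # total length, header only here
    )
    return udp + isakmp


def classify_ike(datagram: bytes) -> str:
    """Return 'ok', 'nat-rewritten-source', 'wrong-dest' or 'not-ikev1'."""
    if len(datagram) < UDP_HDR_LEN + ISAKMP_HDR_LEN:
        return "not-ikev1"
    sport, dport, ulen, _csum = struct.unpack("!HHHH", datagram[:UDP_HDR_LEN])
    hdr = datagram[UDP_HDR_LEN:UDP_HDR_LEN + ISAKMP_HDR_LEN]
    _icky, _rcky, _np, version, _xchg, _flags, _mid, length = struct.unpack("!8s8sBBBBII", hdr)
    # Major version nibble must be 1 and the ISAKMP length must fit the UDP payload.
    if (version >> 4) != 1 or length > ulen - UDP_HDR_LEN:
        return "not-ikev1"
    if dport != IKE_PORT:
        return "wrong-dest"
    if sport != IKE_PORT:
        # This is what a port-rewriting NAT produces: the peer will reject it.
        return "nat-rewritten-source"
    return "ok"


if __name__ == "__main__":
    for sp, dp in ((500, 500), (61025, 500), (500, 53)):
        print(sp, "->", dp, classify_ike(build_ike_datagram(sp, dp)))
```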